On Thu, 30 Aug 2001, Bart Haezeleer wrote:

> 64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer
> HTTP/1.0" 404 280

Someone is checking if you're vulnerable to this:

http://www.securityfocus.com/bid/2674

If you are, it's something to worry about. I think the 404 indicates that you're probably OK, but check anyway. We've been seeing a lot of .printer attempts lately. For people who are vulnerable, you'll get no indication in the web logs that a successful exploit happened. The only clue is a w3svr restart in the event logs. I tried a couple of the exploits for this hole when it came out, and they work really well.

> 63.251.5.46 - - [30/Aug/2001:09:20:04 +0200] "GET
> http://www.yahoo.com/index.html HTTP/1.1" 200 2890

We get stuff like this every once in a while on our web servers. I don't know why. I imagine it could happen if someone's DNS got confused or modified... but I don't know what the point is.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
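An added example, not part of the original message: a small Python triage script that parses Common Log Format entries like the two quoted above and flags `.printer` requests and requests whose target is a full URL, together with the status code the server returned. The function names and tag strings are assumptions made for this example, and the third sample line is constructed.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def classify(line):
    """Return (host, tag, status) for a flagged entry, or None otherwise."""
    m = CLF.match(line.strip())
    if not m:
        return None  # not a parseable Common Log Format line
    target, status = m["target"], int(m["status"])
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        # Absolute-form target: the request form a client sends to a proxy,
        # here naming a host other than a local path.
        return (m["host"], "absolute-uri", status)
    if parts.path.lower().endswith(".printer"):
        # Request for the .printer extension (the BID 2674 probe discussed above).
        return (m["host"], "printer-probe", status)
    return None

def scan(lines):
    """Classify every line and keep only the flagged entries."""
    return [hit for hit in map(classify, lines) if hit]

# The first two lines are the entries quoted in the message (rejoined onto
# one line each); the third is a constructed benign request.
SAMPLE = [
    '64.225.196.160 - - [24/Aug/2001:21:02:21 +0200] "GET /NULL.printer HTTP/1.0" 404 280',
    '63.251.5.46 - - [30/Aug/2001:09:20:04 +0200] "GET http://www.yahoo.com/index.html HTTP/1.1" 200 2890',
    '192.0.2.10 - - [30/Aug/2001:09:21:00 +0200] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, tag, status in scan(SAMPLE):
        print(f"{host}\t{tag}\tstatus={status}")
```

As the message says, a successful exploit leaves no entry in the web log, so hits from this script show probing only and the event logs still need to be checked separately.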
This archive was generated by hypermail 2b30 : Sat Sep 01 2001 - 10:38:33 PDT